Date: 2024-12-02

The origin of the compromise remains unknown at this time, but the data comes from card-present transactions at numerous businesses in the country. Stealing payment details from card-present transactions is typically done by planting malware on systems that connect to PoS devices. In many incidents, the attack vector was a remote desktop connection protected by a default or easy-to-guess password.

Therefore, one possible explanation could be that a point-of-sale (PoS) integrator was breached, since these services interface with payment devices from multiple merchants. Citing researchers at Gemini Advisory who monitor card-related activities on cybercriminal forums, Bleeping Computer mentions that South Korean payment records were in low demand in 2018 as the fraudsters had a large supply available.

This changed in 2019 when the supply remained the same but demand increased, the online publication continued.

Another observation from the researchers is that 3.7% of the compromised South Korean records were from US-issued cards that belonged to US owners visiting South Korea.